Encrypted

Easy-to-use

Pixelated has a modern web interface that fully automates encryption and key management.

Decentralized

Pixelated is straightforward to install for system administrators in an organisation or company.

Modern email with privacy

Pixelated is a software distribution. It gives organizations the means to host an email solution that provides a modern, compelling web interface as well as privacy through proven PGP encryption. With Pixelated, using encryption no longer involves complicated setup procedures or a confusing user experience.

Pixelated is a response to mass surveillance

Email communication is subject to mass dragnet surveillance. The reason such surveillance exists in its current form is that it is so cheap and easy to do. When in transit, email is often not protected and can be read in full by anyone with access to the network, at any of the many network nodes the email passes through. When at rest on the server, the email is often not protected either, and can be accessed by targeting the company that runs the mail servers.

The problem is made worse because many individuals and organizations now use proprietary Software as a Service (SaaS) products like Google Mail or Outlook.com for their email, thus concentrating email handling and storage in a small number of companies. This centralisation of email handling allows criminal organisations as well as nation state agencies to access a vast amount of email traffic by targeting just a handful of companies.

The solution to these problems lies in decentralization and encryption. If we can achieve widespread use of encrypted email, it will be too costly and economically unreasonable to routinely intercept the majority of email on the internet. It is likely that a motivated adversary will always find a way to intercept specifically targeted communication, but with encryption and decentralization we should be able to counter mass surveillance on the scale we have to endure today.

Widespread use of encryption will also show that it is absurd to make the assumption that it is only people with something to hide who use encryption, an argument that we often hear today as justification for attempts to pass legislation that restricts privacy preserving communication.

Frequently asked questions

Where and how does the crypto happen? Where is my private key stored?

We run the encryption and decryption routines on the Pixelated server. To be able to do this the keys must be available on the server. Many technical folks out there will tell you that this is bad, and in certain cases they may be right. However, in the end it all boils down to the threat model. In the next answer we explain why using a server-based approach is actually a reasonable idea in our case.

My friends say that my private key should stay on my trusted device, why do you store it on the server?

Tools to encrypt email have been around for years; one of the most widely used technologies today is PGP, which was first released in 1991. Email itself is such a central part of the Internet and has such a rich ecosystem that it is near impossible to replace with something else. (Remember Google Wave?) Despite all that, encrypted email has never taken off at a large scale because it is too difficult to use.

Having been at many crypto parties, we have experienced bewildered looks when users are confronted with questions about key sizes expressed in bits, when seeing prompts to move the mouse to create entropy, or when they are asked to read out key fingerprints to each other to verify that they really have the right key. We have also seen countless examples of private keys being lost, in many cases by users who have no idea what a revocation certificate is, never mind having created one. Then there is the issue of using multiple devices... All of this is so intimidating that most people choose convenience over privacy, convincing themselves that they have nothing to hide and nobody is interested in them anyway.

The Pixelated team has made considered choices surrounding cryptography so you don't have to. It provides a solid setup without bothering the users. And, yes, it is correct that whoever operates the Pixelated server you use can intercept your mail if they are willing to put in some work. However, consider the alternatives: would you rather trust the people who operate the server, people you can actively choose, or would you, because you're reverting to unencrypted email, want to trust any number of parties that you can't choose and don't even know about? We feel that trusting one group of people is vastly preferable. If you feel you can't trust anyone, then your friends are right and you should keep the private keys only on devices you have complete control over and can be sure nobody can tamper with, and make backups, encrypted of course.

How much do I need to trust my Pixelated provider? Can an attacker read my mails? Is there a difference to Lavabit?

In order to answer this, let's take a step-by-step look at what happens from the time you log into Pixelated, and from the moment an email reaches the server, to when you see it in your browser.

When you create your Pixelated account for the first time, Pixelated creates an encryption key on your behalf. This encryption key itself is locked with the password you choose.

When an incoming email reaches the server, it is encrypted with your key (metadata and all) and stored in the server's database.

When you login to Pixelated, your encryption key is unlocked with the password you supply.

When you view the email, it is decrypted on the fly and displayed in your browser.
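The four steps above, modelled as a runnable illustration written for this page (it is not Pixelated's code). RSA-OAEP stands in for PGP and a password-encrypted private-key PEM stands in for a passphrase-locked PGP secret key; the `Account` class and the sample message are constructed for the example, and the comments mark where a stolen copy of the stored data, or a server modified to log its inputs, would matter.

```ruby
require "openssl"

# Added illustration of the four steps above; it is not Pixelated's code.
# RSA-OAEP stands in for PGP, and a password-encrypted private-key PEM
# (AES-256-CBC) stands in for a passphrase-locked PGP secret key.
class Account
  attr_reader :inbox, :locked_pem

  # Step 1: the server generates the key pair and locks the private half
  # with the user's password. Only the public key and the locked PEM are
  # kept; the plaintext private key goes out of scope here.
  def initialize(password)
    key = OpenSSL::PKey::RSA.new(2048)
    @pub = key.public_key
    @locked_pem = key.export(OpenSSL::Cipher.new("aes-256-cbc"), password)
    @inbox = []
    @unlocked = nil
  end

  # Step 2: mail is encrypted to the public key on arrival, so it needs
  # neither the password nor an open session. Stored form: ciphertext only.
  def receive(message)
    @inbox << @pub.public_encrypt(message, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
    self
  end

  # Step 3: the password unlocks the private key for the session. A server
  # modified to log its inputs sees the password at this point; a stolen
  # copy of locked_pem and inbox alone yields only ciphertext.
  def login(password)
    @unlocked = OpenSSL::PKey::RSA.new(@locked_pem, password)
    true
  rescue OpenSSL::PKey::PKeyError
    false
  end

  # Step 4: decrypt on the fly when the message is viewed.
  def read(index)
    raise "not logged in" unless @unlocked
    @unlocked.private_decrypt(@inbox[index], OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  end
end

if __FILE__ == $PROGRAM_NAME
  acct = Account.new("correct horse").receive("constructed sample message")
  puts acct.login("wrong") ? "unlocked?!" : "wrong password rejected"
  acct.login("correct horse")
  puts acct.read(0)
end
```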

So now let's think about what that does and does not protect you against:

Your emails are encrypted at rest on the provider's server. If your provider is hacked, the attacker can't get to the contents of your inbox.

Your emails are sent encrypted, so if somebody listens to traffic on the wire, they won't see the content of your email, but they will see who the email is for, the subject, and other information about the message. (This is a flaw of the protocol, not ours. Sorry.)

Your encryption happens on the server, so if an attacker manipulates the server to record everything happening on it, they could see the contents of your inbox. Such an attack is mostly within reach of resourceful adversaries like intelligence services and other nation-state-level attackers. It is an attack on a much greater time scale, which makes it harder to pull off without being detected, and requires more funds and sophistication.

Pixelated has similarities to Lavabit's design and also shares its shortcomings. In detail, an email provider has three main adversaries:

An administrator with access to the server.

An attacker who can get access to the server.

An attacker who can intercept the communication to the server.

Pixelated shares these vulnerabilities, just like a conventional (unencrypted) email service, despite the use of cryptography. The security is anchored to the user-supplied password, and if the operator of the server or an attacker manages to modify the code for Pixelated, they could gain access to the password.

So there is a legitimate question: is this worth the trouble at all? Yes, it is, for two reasons:

Reason #1: Just because something does not give you perfect security, that doesn't mean there's no value to it. Email is a distributed system. You can use your Pixelated account to exchange encrypted emails with somebody who uses other email encryption based on PGP, e.g. using Apple Mail with the GPG Suite, or Thunderbird with Enigmail. In this use case you know you don't have to trust anyone other than the operator of your Pixelated server.

Reason #2: If you don't want to trust any email provider, Pixelated makes it easy to set up your own email service!

What about activists and activist organisations?

Privacy, mass surveillance, and activism are often considered together. Activists have a need for strong privacy (see Tim Bray's article on privacy levels for a good discussion of strong vs common privacy), but those who have been specifically targeted have needs that go far beyond what is needed to counter mass surveillance. Thus, a solution that can help an activist defend himself/herself against sustained, targeted surveillance is likely to be so involved that it would be unusable for the majority of email users. We do not think it is possible to build a solution that can be widely used as a regular email solution while also providing the features necessary to counter targeted surveillance. Having said that, Pixelated is built in a way that should allow activist-oriented products to be derived from it.

Status of Pixelated

The initial work on Pixelated was done by a team funded by ThoughtWorks between July 2014 and June 2017. Pixelated has been used internally and by another organisation, showing that Pixelated and the concepts behind it are reasonable and practical.

The outcome from this phase is working software that validates the main hypothesis, namely that when the trade-off between encryption and convenience is removed, by making encryption transparent, people will adopt encrypted email.

Pixelated is ready to be used even though not all features are completed. The GitHub issues on the pixelated-user-agent repository provide an overview of currently in-flight work. A major incomplete feature is Account Recovery, which allows users to regain access to their inbox when they forget their password. For this feature, following the underlying vision for Pixelated, we designed a workflow that balances user friendliness with security. Debian packages are available as GitHub releases.

Given that the phase during which ThoughtWorks funded the development of Pixelated has come to an end, there is currently little or no active development on Pixelated, but if you are interested in using Pixelated or becoming a contributor to the project, please drop us a note at pixelated-team@thoughtworks.com.